MyBB Community Forums

Full Version: Found several shells in my website's FTP.
Hi there.

Well recently I have been looking through my FTP account after having lost the account information for a few days.
I then realised there was a strange looking text file inside my FTP. I opened the .txt file and this is what it said:

[Image: PLVa8.png]

I immediately took action and removed the file from my FTP. I also noticed some other strange looking .php files named "c10.php", etc. Another file was named "shell.png.jpg", and when I opened the image it said it was unviewable. Another two files, one named "uni.php" and another was named "ini.php". I removed them all but I'm now wondering how the files had managed to make their way into my FTP to begin with.
  • I have updated my passwords, and I keep them updated regularly;
  • I also install the plugins which are on MyBBSecurity.net;
  • I regularly check for plugin updates and I check my templates; and
  • I have renamed my admin directory just in case anything were to happen.

Here is a link to my forum: http://uzigaming.net/

What else can I do in order to prevent this sort of issue occurring again? I wouldn't like my forum to be exploited.

Also, my plugin files and language files for my plugins are scattered all over my FTP and it says my "inc" folder is completely empty. I'm not 100% certain on how I may reposition all of my plugin files. What happens if the 'hacker' has managed to make his way into my FTP, edit some of the normal website's files so they contain shells, and then scatter them everywhere? Is that possible? Will it be fixable?

EDIT: I got access logs from HostGator, these are the following files containing shells:

/home/uzi/public_html/uploads/awards/shell.php.jpg
/home/uzi/public_html/uploads/ficons/shell.php.jpg
/home/uzi/public_html/inc/3rdparty/diff/Diff/Engine/shell.php
/home/uzi/public_html/shell.php
/home/uzi/public_html/uploads/awards/k1r4_ftpquickbrute_13.04.2012_19_35_31

I cannot access my "inc" folder though, and no shells appear in "public_html". What should I do?

Original thread: http://www.mybbsecurity.net/topic-found-...site-s-ftp

Thank you for your time.

Regards,
Uzi.
Disable your awards and ficons plugins, right now. Wipe the files from your system.
Do a file verification check in the admin panel and report back here with results.
Also, hi uzi. xSolidus here.
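
The kind of check suggested above, written out as an added example (not MyBB's own code and not part of the original posts): hash a known-good copy of the release, then report files on the server that are missing, changed, or not part of the release at all. The function names and both sample trees are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map relative path -> SHA-256 hex digest for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*") if p.is_file()
    }

def verify(live_root, manifest):
    """Compare a live tree with a known-good manifest."""
    live = build_manifest(live_root)
    return {
        # Expected by the release but absent on the server.
        "Missing": sorted(set(manifest) - set(live)),
        # Present in both but with different contents: possibly edited.
        "Changed": sorted(f for f in manifest if f in live and live[f] != manifest[f]),
        # Not part of the release at all, e.g. a script dropped in the web root.
        "Unexpected": sorted(set(live) - set(manifest)),
    }

def write_tree(root, files):
    """Create files (relative path -> bytes) under root."""
    for rel, body in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

def demo():
    clean = {  # constructed stand-ins for a clean release download
        "index.php": b"<?php // index",
        "inc/init.php": b"<?php // init",
        "inc/functions.php": b"<?php // functions",
    }
    live = {  # constructed stand-ins for what is on the server
        "index.php": b"<?php // index",
        "inc/init.php": b"<?php // init, plus an injected line",
        "shell.php": b"<?php // placeholder for a dropped file",
    }
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        write_tree(a, clean)
        write_tree(b, live)
        return verify(b, build_manifest(a))

if __name__ == "__main__":
    print(demo())
```

Upload directories will always list user content under `Unexpected`, so those entries need a look at the file contents rather than the name alone.
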
(2012-05-09, 10:15 PM)Solidus Wrote: [ -> ]Disable your awards and ficons plugins, right now. Wipe the files from your system.
Do a file verification check in the admin panel and report back here with results.
Also, hi uzi. xSolidus here.

Oh hi there, Solidus! Anyway, I've done a 'File Verification Check', it says a lot of my files are missing:

<snip>


I'm not too sure about removing the forum icons and the awards system, as I don't want to have to manually add all of the awards back again, one by one.
Images don't matter, but these are alarming.


Quote:I'm not too sure about removing the forum icons and the awards system, as I don't want to have to manually add all of the awards back again, one by one.

Let's be smart here.
"/home/uzi/public_html/uploads/awards/shell.php.jpg"
"/home/uzi/public_html/uploads/ficons/shell.php.jpg"


Almost certainly those plugins are to blame. Although it is possible that it was something else, and those directories were chosen because they can be written to.
HI i member you
(2012-05-09, 10:22 PM)danesxd Wrote: [ -> ]HI i member you

Pretty certain you attempted to deface my old forum, am I correct?
(2012-05-09, 10:25 PM)Alternate Wrote: [ -> ]
(2012-05-09, 10:22 PM)danesxd Wrote: [ -> ]HI i member you

Pretty certain you defaced my old forum. How mature...?

To be honest, it was a very immature thing to do. I feel bad about it. It was a good forum, but I started to get into hack forums and for some reason I wanted to deface something and make myself look cool, but I realize now it was a mistake. You probably won't believe me or forgive me, but it's the truth.
(2012-05-09, 10:21 PM)Solidus Wrote: [ -> ]Let's be smart here.
"/home/uzi/public_html/uploads/awards/shell.php.jpg"
"/home/uzi/public_html/uploads/ficons/shell.php.jpg"


Almost certainly those plugins are to blame. Although it is possible that it was something else, and those directories were chosen because they can be written to.

The plugins are likely NOT to blame, but that is where the hacker or malicious script decided to install the shell code.
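
An added example (not part of the original thread) of checking upload directories such as `uploads/awards` and `uploads/ficons` for the kind of files reported here: names with `.php` buried in them like `shell.php.jpg`, image-named files that are not images, and any file containing a PHP open tag. The function names and sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Executable extension anywhere in the name: "shell.php.jpg" as well as "c10.php".
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")  # JPEG, PNG, GIF
PHP_TAG = re.compile(rb"<\?php", re.IGNORECASE)

def inspect_file(path):
    """Return the reasons one file looks suspicious (empty list if none)."""
    reasons = []
    name = path.name.lower()
    with path.open("rb") as fh:
        data = fh.read(1 << 20)  # the first 1 MiB is enough for triage
    if EXEC_EXT.search(name):
        reasons.append("executable extension in name")
    if name.endswith(IMAGE_EXT) and not data.startswith(IMAGE_MAGIC):
        reasons.append("image extension without image signature")
    if PHP_TAG.search(data):
        reasons.append("contains PHP open tag")
    return reasons

def scan_uploads(root):
    """Map relative path -> reasons for every flagged file under root."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            reasons = inspect_file(path)
            if reasons:
                findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    samples = {  # constructed sample files, not taken from the incident
        "awards/shell.php.jpg": b"<?php /* constructed placeholder */ ?>",
        "awards/medal.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
        "ficons/shell.png.jpg": b"constructed non-image bytes",
        "ficons/star.gif": b"GIF89a" + bytes(16),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan_uploads(tmp)

if __name__ == "__main__":
    print(demo())
```
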
(2012-05-09, 10:32 PM)danesxd Wrote: [ -> ]
(2012-05-09, 10:25 PM)Alternate Wrote: [ -> ]
(2012-05-09, 10:22 PM)danesxd Wrote: [ -> ]HI i member you

Pretty certain you defaced my old forum. How mature...?

To be honest, it was a very immature thing to do. I feel bad about it. It was a good forum, but I started to get into hack forums and for some reason I wanted to deface something and make myself look cool, but I realize now it was a mistake. You probably won't believe me or forgive me, but it's the truth.

Wait.. are you talking about my old forum or this one...?

Also, if you're talking about the old one, why would you randomly decide to log into your MyBB account to view this thread?
(2012-05-09, 10:39 PM)Alternate Wrote: [ -> ]
(2012-05-09, 10:32 PM)danesxd Wrote: [ -> ]
(2012-05-09, 10:25 PM)Alternate Wrote: [ -> ]
(2012-05-09, 10:22 PM)danesxd Wrote: [ -> ]HI i member you

Pretty certain you defaced my old forum. How mature...?

To be honest, it was a very immature thing to do. I feel bad about it. It was a good forum, but I started to get into hack forums and for some reason I wanted to deface something and make myself look cool, but I realize now it was a mistake. You probably won't believe me or forgive me, but it's the truth.

Wait.. are you talking about my old forum or this one...?

Also, if you're talking about the old one, why would you randomly decide to log into your MyBB account to view this thread?
Your old one, and because I was looking for some plugins to mess around with, but I saw this and thought I should check it out, and I remembered who you were.